Dutch researchers will be able to publish their controversial report on the Mifare Classic (Oyster) RFID chip in October, a Dutch judge ruled today.
Researchers from Radboud University in Nijmegen revealed two weeks ago they had cracked and cloned London's Oyster travelcard and the Dutch public transportation travelcard, which …

COMMENTS

Yaaaay!

Thank heavens good sense prevailed over corporate stupidity.... don't those idiots know any history? There was a nasty chappie some 70 years ago who thought that his nice type-writer machiney thingy was totally secure. Only nobody bothered to check if this was the case. Net result: they had a scrap with their neighbours and lost! Proper security is difficult. (apologies to the purists who'll scream over my scrappy posting... ) :)

Company tries to stamp on others' rights and fails

Cool...

Obfuscation is not Security

If a security flaw exists, hiding it does not provide security. Hiding it only makes it harder for users to protect themselves and for authorities to investigate when users are victimized. Companies that rely on obfuscation of flawed security should be subject to criminal as well as civil penalties for engaging in fraud.

Hang on...

I know of at least 1 major university which uses this chip in its security cards. As well as libraries and laundries, a few minor facilities such as animal labs and a small nuclear reactor are also behind doors with RFID security.

Re: robin hood

'While "the publication of scientific studies carries a lot of weight in a democratic society", it seems the general (commenting) public is more excited about getting a free ride or beating "the man"'

If you're using this commenting section as "the general (commenting) public", at least at the time I'm posting this, it looks to be about 50/50 between people happy at having rights and liberties protected and those interested in a free ride. In addition, the "rights and liberties" brigade are clearly serious, while the "free ride" people seem to be mostly joking.

A better title...

'twas ever thus

The idea of a card that can be downloaded with money to be uploaded into various shops, hotels, means of transport, etc. seems to be a great idea.

Years ago we had the "Mondex" card, which was designed to be filled with cash that could be spent as easily as real cash.

The problem with all of these ideas (and this includes cash and banknotes) is forgery. If you can make it, I can copy it....eventually. For years the banks and similar establishments have relied on the security of banknotes, credit cards, on-line systems, etc. to provide a useful service to their customers. But it's an arms race and the criminals amongst us eventually find a way to hijack the system to defraud the public. Sometimes this is the result of some ingenious design or an advance in technology, but sometimes it's down to the providers being remarkably dumb and underestimating the intelligence of the criminals.

A classic case is the new "chip & PIN" card. It was designed to be impossible to crack or copy but, rather stupidly, it carries a magnetic strip containing exactly the same data, and which is about as difficult to copy as an audio tape. Doh!

We should remember that whenever a big corporation gets stiffed by forgers, it's you and I that end up paying for it.

Re: Hang on...

If they're that concerned then they've got a couple of months to replace their security systems. Always assuming they haven't already been hacked... At least now there's justification to invest in a different security system.

why do they keep calling them "smart" cards?

It isn't "smart" to embed authority into a programmable device. Duh! Smart is making the tokens cost more than the value they carry, so forgery is doing you a favor. Smart is people in the loop. With all their problems, they are still quite competitive with low power processors available in the foreseeable future. Duh #2!

What is smart is to sue the maker for not disclosing weaknesses in the system, making the vendor pay for replacement of the systems. How many times would you have to do this before the "smart" claim went away? Vendors might still sell the things, but they would have to humbly advertise their weaknesses as well as their strengths.

Anonymous? Because I can. Except for El Reg of course, and anyone snooping my IP address... And anyone analyzing the word usage in my posts. Aaaaand the black helicopter crowd who made me post this with their mind control rays. My wife said, "Don't take off that tinfoil", but did I listen? Oh nooooo.

Coop-Door Open, Possum's Got the Chickens

"Spokesperson for NXP Martijn van der Linden said that publishing the report would be "irresponsible" - understandably, the company fears criminals will be able to attack Mifare Classic-based systems."

Criminals already ARE ATTACKING your systems; the first ones are smart enough to keep a low profile so as to not draw attention to themselves. You ought to be thankful that the folks at Radboud did what your incompetent security toads failed to do. Do you really think THE CRIMINALS would notify you of the security hole?

Come on El Reg, let me post it...

Premium Prime Novel Power for ITs Youth Giving Properties

"I know of at least 1 major university which uses this chip in its security cards. As well as libraries and laundries, a few minor facilities such as animal labs and a small nuclear reactor are also behind doors with RFID security.

This could be a problem" .... By Anonymous Coward

Posted Friday 18th July 2008 18:03 GMT

AC,

It is also an Opportunity for some Youthful Direction with Academe Intelligence Mentoring. So Very Typically ITs dDutch and AIVD. ESPecial Forces Defence.

Be Aware [and don't say you were not Warned] of Addictive NEUKlearer Entanglement with One Honey Mother of a Money Trap ... which is an Interesting Twist on the more Usual Man Trap/UltiMate Failing.

Cloned cards already in use in London?

The last couple of weeks have been a laugh a minute for me, at the Oyster big brother system and their corporate suppliers.

2 weeks ago a Uni announces they have figured out how to clone the cards. This means that the type of cards they cloned have been clonable since they have been on the market, even though the manufacturer claimed otherwise.

1 week ago the Oyster card system breaks in London, early on a Sunday morning. I assume this is the quietest time for TFL? If so, I guess the break was caused by the roll out of a patch or update. And I wonder what that patch did? Perhaps it was to try and mitigate the effects of possibly cloned cards?

The way the Oyster cards work is that the card itself holds the credit, so when you use an Oyster card it doesn't go away to a central point to confirm yes or no, like credit^W debt cards do. This means that if you were able to clone Oyster cards the clone would probably work successfully for quite a while. I bet the backend systems were not designed to take real-time authorisation checks, so if the change TFL made added this, or even just real-time auth for every 100th card presented, the central servers could have croaked it, killing the whole system for several hours.

Of course, the Oyster maker's attitude of wanting security through obscurity overlooks a glaring piece of logic: If those Dutch researchers could figure out how to clone the cards, then other people also would be able to. It stands to reason that cloned cards are already being used.

Personally I am happy that the Oyster card thing is being toppled. Yeah, I know it adds convenience to travelling in the big smoke, but the tracking abilities it provides are horrific, and to me doesn't make the system worthwhile. And the implementation in London means that the bureaucrats will always win if there is a dispute over fares and fines etc.

I'm waiting for the full story

You got to feel sorry for NXP

You have a large installed userbase and then someone wants to go public with something before you've had a chance to fix it. Revising the security and spinning a new chip out isn't quick and isn't cheap.

A few years back ITV digital had its security totally cracked, everyone had fake cards, it collapsed and Sky could breathe easy again. I wonder who did the crack on the ITV card?

Mondex,

Mondex was actually well engineered, even from the crypto point of view. It was the customer usage that wasn't well planned.

Mifare is a piece of junk, with "encryption" that even an undergrad can see problems with, and it should surprise no-one that an optimised attack has been devised. Given the amount of silicon used a competent engineer could have done a far better job.

Put simply, Mifare is unfit for purpose, and NXP would like to keep that quiet lest they get their arses sued off by all the companies that have invested in it.

@shaggydog

No, they'd never let that study about how oysters feel pain, form strong family bonds, have an ultrasonic musical ability of unfathomable complexity and beauty yet are filled to the brim of toxic algae, heavy metals and fecal matter get out to the public. That sort of information undermines the very generation of the human species as it is vital to the reproductive strategies of millions; ripping off tfl is practically noble by comparison.

When I was 18 (20 years ago)

I suggested to a friend that car number plates could be cloned and used in conjunction with the same car colour/make/year. If crims had "his" car reg number on the "same" car, plod would waste a lot of time chasing him instead of the crims. He gave me a rather worried look and mumbled "that would work". It didn't seem to be as prolific back then as it is now.

Now plod has plate recognition, it makes me wonder how many crims have used this method to get stolen cars out of the country?

Correct me if I am wrong, but I seem to remember this university (on these hallowed pages) said that 127 bytes of virus code could be stored on these things. Crustacean Card has performed an Illegal operation and will be shut down, along with the rest of the system.

@Hihaa Free ride

Re: Yaaaay!

Ok, I am a purist here, and I'm not going to complain about your post. There were a few events in WW2 that can be argued to have won the war and I'll list them in order of importance (in my humble opinion).

1) Stalingrad. Thank the Russians for this victory - it prevented access to the Caucasus oil.

2) Enigma. Thanks to the Poles who cracked it. This one kept the Atlantic open, and kept the Allied troops supplied.

4) Battle of Britain. First one the British Empire can receive thanks for. Giving a base for attacking Germany, both for Empire and American troops.

A final, rather more on topic point, to anyone pointing out that Nuclear reactors might be protected with RFID chips. If someone is protecting their most valuable assets using only a few RFID chips then they deserve to have everything stolen. Furthermore, if something as key as a Nuclear reactor was being protected with only an RFID security system, then all manner of government regulations would be in the process of being broken.